问题:
在 Kafka as 上获取错误,并且使用者无法从主题中读取 -- 使用 /10.2.***.* 进行身份验证失败(SSL 握手失败)
葛磊
我使用的是apachekafka最新版本2.3.0,我将kafka部署为多节点集群,并使用SSL进行代理间通信。设置部署到kubernetes
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOU
T WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# see kafka.server.KafkaConfig for additional details and defaults
############################# Server Basics #############################
# The id of the broker. This must be set to a unique integer for each broker.
# broker.id=0
# Switch to enable topic deletion or not, default value is false
#delete.topic.enable=true
############################# Socket Server Settings #############################
# The address the socket server listens on. It will get the value returned from
# java.net.InetAddress.getCanonicalHostName() if not configured.
# FORMAT:
# listeners = security_protocol://host_name:port
# EXAMPLE:
# listeners = PLAINTEXT://your.host.name:9092
listeners=SSL://0.0.0.0:9093,PLAINTEXT://0.0.0.0:9092
# Hostname and port the broker will advertise to producers and consumers. If not set,
# it uses the value for "listeners" if configured. Otherwise, it will use the value
# returned from java.net.InetAddress.getCanonicalHostName().
#advertised.listeners=PLAINTEXT://kafka.hfdevlabs.com:9092
# The number of threads handling network requests
num.network.threads=3
# The number of threads doing disk I/O
num.io.threads=8
# The send buffer (SO_SNDBUF) used by the socket server
socket.send.buffer.bytes=102400
# The receive buffer (SO_RCVBUF) used by the socket server
socket.receive.buffer.bytes=102400
# The maximum size of a request that the socket server will accept (protection against OOM)
socket.request.max.bytes=104857600
############################# Log Basics #############################
# A comma seperated list of directories under which to store log files
#log.dirs=/data
# The default number of log partitions per topic. More partitions allow greater
# parallelism for consumption, but this will also result in more files across
# the brokers.
num.partitions=1
# The number of threads per data directory to be used for log recovery at startup and flushing at shutdown.
# This value is recommended to be increased for installations with data dirs located in RAID array.
num.recovery.threads.per.data.dir=1
############################# Log Flush Policy #############################
# Messages are immediately written to the filesystem but by default we only fsync() to sync
# the OS cache lazily. The following configurations control the flush of data to disk.
# There are a few important trade-offs here:
# 1. Durability: Unflushed data may be lost if you are not using replication.
# 2. Latency: Very large flush intervals may lead to latency spikes when the flush does occur as there will be a lot of data to flush.
# 3. Throughput: The flush is generally the most expensive operation, and a small flush interval may lead to exceessive seeks.
# The settings below allow one to configure the flush policy to flush data after a period of time or
# every N messages (or both). This can be done globally and overridden on a per-topic basis.
# The number of messages to accept before forcing a flush of data to disk
#log.flush.interval.messages=10000
# The maximum amount of time a message can sit in a log before we force a flush
#log.flush.interval.ms=1000
############################# Log Retention Policy #############################
# The following configurations control the disposal of log segments. The policy can
# be set to delete segments after a period of time, or after a given size has accumulated.
# A segment will be deleted whenever *either* of these criteria are met. Deletion always happens
# from the end of the log.
# The minimum age of a log file to be eligible for deletion
log.retention.hours=168
# A size-based retention policy for logs. Segments are pruned from the log as long as the remaining
# segments don't drop below log.retention.bytes.
#log.retention.bytes=1073741824
# The maximum size of a log segment file. When this size is reached a new log segment will be created.
log.segment.bytes=1073741824
# The interval at which log segments are checked to see if they can be deleted according
# to the retention policies
log.retention.check.interval.ms=300000
############################# Zookeeper #############################
# Zookeeper connection string (see zookeeper docs for details).
# This is a comma separated host:port pairs, each corresponding to a zk
# server. e.g. "127.0.0.1:3000,127.0.0.1:3001,127.0.0.1:3002".
# You can also append an optional chroot string to the urls to specify the
# root directory for all kafka znodes.
#zookeeper.connect=zookeeper.hfdevlabs.com:2181
# Timeout in ms for connecting to zookeeper
zookeeper.connection.timeout.ms=6000
api.version.request=true
############################# ###################
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.endpoint.identification.algorithm=HTTPS
ssl.client.auth=required
ssl.keystore.type=JKS
ssl.truststore.type=JKS
ssl.secure.random.implementation=SHA1PRNG
########################## Properties #######################
advertised.listeners=SSL://kafka-1.qa.*******.com:9093,PLAINTEXT://kafka-1.qa.******.com:9092
zookeeper.connect=zookeeper-0.zookeeper-headless.default.svc.cluster.local:2181,zookeeper-1.zookeeper-headless.default.svc.cluster.local:2181,zookeeper-2.zookeeper-headless.default.svc.cluster.local:2181
broker.id=1
ssl.keystore.location=/opt/kafka/config/tls/kafka.server.keystore.jks
ssl.keystore.password=******
ssl.key.password=*****
ssl.truststore.location=/opt/kafka/config/tls/kafka.server.truststore.jks
ssl.truststore.password=*****
security.inter.broker.protocol=SSL
log.dirs=/data/kafka-logs
offsets.topic.replication.factor=3
default.replication.factor=3
offsets.retention.minutes=10080
zookeeper.connection.timeout.ms=60000
生成生成器日志的命令对我来说很好
echo "test" | sh kafka-console-producer.sh --broker-list kafka-1.qa.******.com:9092 --topic test
但是,我无法使用日志:
./kafka控制台使用者。sh--引导服务器kafka-1.qa.*****。com:9902--主题测试--从头开始
服务器日志将错误显示为:
[2019-10-25 10:07:55,589] INFO [SocketServer brokerId=1] Failed authentication with /10.2.***.1 (SSL handshake failed) (org.apache.kafka.common.network.Selector)
[2019-10-25 10:07:56,028] INFO [SocketServer brokerId=1] Failed authentication with /10.2.***.0 (SSL handshake failed) (org.apache.kafka.common.network.Selector)
共有1个答案
苏宏峻
我怀疑你的生产者工作,因为你没有提供producer.config包含连接到安全的Kafka集群的信息。
所以CLI producer命令应该如下所示
kafka-console-producer –broker-list kafka.example.com:9093 –topic securing-kafka –producer.config /etc/kafka/producer_ssl.properties message1
和示例 producer_ssl.属性
bootstrap.servers=kafka.example.com:9093
security.protocol=SSL
ssl.truststore.location=/etc/security/tls/kafka.client.truststore.jks
ssl.truststore.password=test1234
ssl.keystore.location=/etc/security/tls/kafka.client.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
CLI kafka消费者相同
kafka-console-consumer –bootstrap-server kafka.example.com:9093 –topic securing-kafka –new-consumer –from-beginning –consumer.config /etc/kafka/consumer_ssl.properties
https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/
类似资料:
-
我必须在kafka中使用SSL添加加密和身份验证。 这就是我所做的: > < li> 为每个经纪人kafka生成证书: keytools-keystoreserver.keystore.jks别名localhost有效性 创建CA。生成的CA是一个公钥-私钥对,是用于签署其他证书的证书。CA负责签署证书。 使用生成的 CA 对所有代理证书进行签名 从密钥库导出证书: < code > keytoo
-
我目前正在尝试迁移一些Java组件,以通过SSL客户端证书而不是PLAIN方法执行RabbitMQ连接身份验证,但是,几天后,我仍然在努力,因为所有java组件连接尝试都会遇到握手错误。在尝试使用SSL证书时查看RabbitMQ:握手错误,或者在使用SpringAMQP时查看RabbitMQ SSL给握手失败,不幸的是没有为我使用任何结果。 我试图使其工作的环境是一个运行UbuntuLTS14.0
-
我正在尝试获得一个在android上工作的相互认证请求。我正在测试我自己的服务器,所以我有一个自签名的CA和客户端证书。 因此,我将不得不考虑不受信任的服务器证书。 以下是我正在做的: 然后使用AsyncWork来执行请求: 我已经在浏览器和iOS客户端上测试了这个请求,但我无法在Android上运行它。 我认为这是允许不受信任的服务器证书的正确方法: 不知道为什么我得到: javax.net.s
-
出身背景我需要让我的网站通过IdentityServer(IDS)进行身份验证。“example.com” 我正在用DotNetCore构建我所有的网站,用apache在代理服务器上托管它们,让我们调用私有ip12.3.4.5。 它们应该如何工作。我去网站的例子。我应该可以和ids通话。例如。com获取身份验证信息,然后重新路由回示例。具有身份验证令牌的com。相反,我得到了一个SSL握手错误。见
-
我试图用注册时使用的凭证登录。Firebase已经有注册用户的条目。每次我试图登录它显示“登录不成功”,我没有看到任何代码问题。请帮帮忙。
-
我正在构建一个Apache Beam管道,将Kafka作为一个无界源进行阅读。 我能够使用直接运行器在本地运行它。 然而,当在云上使用Google Cloud Dataflow runner运行时,管道会因附加的异常堆栈跟踪而失败。 似乎最终是Conscrypt Java库抛出了。我真的不知道如何解决这个问题。